The U.S. Department of Justice has charged four Chinese nationals with hacking into credit reporting agency Equifax in a 2017 breach that exposed the personal information of nearly 150 million U.S. customers.
The indictment stems from the 2017 cyberattack on the credit agency’s networks. The breach resulted in a settlement of at least $575 million with the Federal Trade Commission.
According to a press statement, a federal grand jury in Atlanta returned the nine-count indictment last week against Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊), who were allegedly members of the PLA’s 54th Research Institute, an arm of the Chinese military.
The department alleges that the charged individuals worked together to hack into Equifax’s networks, gained access to their computers and stole the sensitive personal information of about 145 million Americans.
According to the department, the Chinese hackers exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal. They used this access to conduct reconnaissance of the company’s online dispute portal and to obtain login credentials. They spent several weeks running queries to identify Equifax’s database structure and searching for sensitive information within the system.
Once relevant files were accessed, the four hackers stored the stolen data in temporary output files, compressed and divided the files and were ultimately able to download and exfiltrate the data from the company’s network to computers outside the U.S.
The attackers ran about 9,000 queries on Equifax’s system and obtained names, birth dates and social security numbers for almost half of all Americans.
“This was a deliberate and sweeping intrusion into the private information of the American people,” U.S. Attorney General William P. Barr said in a statement. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us. Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”
The department also alleges that the defendants stole trade secrets from Equifax, like data compilations and database designs.
They also took steps to evade detection, including routing traffic through 34 servers in 20 countries to cloak their true location, using encrypted communication channels to blend in with normal activity on Equifax’s network and erasing data on a daily basis to cover their tracks, the department said.
“In short, this was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military,” Barr said.